Skip Repetitive Navigation Links
California State Auditor Logo COMMITMENT • INTEGRITY • LEADERSHIP

Gaps in Oversight Contribute to Weaknesses in the State's Information Security
High Risk Update—Information Security

Report Number: 2018-611

Introduction

Background

Numerous retailers, financial institutions, and government agencies have reported data security incidents that compromised the integrity, confidentiality, or availability of their information, some of which resulted in the disclosure of that information to unauthorized parties. For example, in 2017 a nationwide consumer reporting agency suffered a data breach involving the personal information of more than 145 million Americans. In 2016 the Securities and Exchange Commission experienced a breach of its database that stores corporate disclosures, resulting in unauthorized access to nonpublic information.

California's State Administrative Manual (SAM) describes the State's information assets, including its data processing capabilities, information technology infrastructure, and data, as an essential public resource. In fact, for many state entities, program operations would effectively cease in the absence of key computer systems, and in some cases, the failure or disruption of a system would immediately jeopardize public health and safety. If state information systems and resources should become unavailable, this could potentially have a detrimental impact on the state economy and on the residents who rely on state programs.

In addition to disrupting the State's ability to operate, data breaches have significant financial costs. According to a 2018 report published by IBM Security and the Ponemon Institute, the average total cost of a data breach in 2017 was $3.86 million.

Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview, IBM, July 2018.

However, the report noted that larger breaches of 50 million records or more can cost $350 million on average. Given the amount of data the State maintains, the financial cost of a data breach and the damage to its credibility and reputation could be significant. Moreover, a breach involving disclosure of personal information could be detrimental to residents if, for example, an unauthorized person acquired that information and used it to commit identity theft.

The consequences of a data breach highlight the importance of information security in both the public and private sectors. Information security refers to protecting information, information systems, equipment, software, and people from a wide spectrum of threats and risks. Implementing appropriate security measures and controls is critical to ensuring the confidentiality, integrity, and availability of both the information and the information systems that state entities need to accomplish their missions, fulfill their legal responsibilities, and maintain their day-to-day operations. Information security is also the means by which state entities can protect the privacy of the personal information they hold, such as their employees' Social Security numbers and home addresses.

Information Security Roles and Responsibilities

The California Department of Technology (technology department) is responsible for providing direction for the State's information security. State law generally requires state entities within the executive branch that are under the Governor's direct authority (reporting entities) to comply with the information security practices that the technology department prescribes and to annually report to the technology department on their compliance with these practices. However, state law does not apply the technology department's policies and procedures to entities that fall outside of the Governor's direct authority (nonreporting entities), such as constitutional offices and those in the judicial branch.

State law and SAM require reporting entities to perform risk assessments and independent information security assessments. Specifically, SAM requires reporting entities to conduct a comprehensive risk assessment every two years to evaluate their risk management strategy and to perform periodic vulnerability scanning and penetration testing. In addition, state law permits the California Military Department (military department) to perform independent assessments. State law also requires entities to provide the technology department with the results of these assessments.

Information security falls within the scope of the Assembly Privacy and Consumer Protection Committee (Privacy Committee) and the Assembly Select Committee on Cybersecurity (Cybersecurity Committee). The Privacy Committee has jurisdiction over matters related to privacy, the protection of personal information, the security of data, and information technology, among others. It is also responsible for oversight of the technology department. The purpose of the Cybersecurity Committee is to examine information security vulnerabilities, assess resources, examine current cybersecurity policy for state networks, and develop partnerships to manage and respond to threats.

Information Security Standards

State law provides the technology department with the responsibility and authority to create, issue, and maintain policies, standards, and procedures governing information security for state agencies. Chapter 5300 of SAM (SAM 5300) provides the security and privacy policy standards with which reporting entities must comply and notes that the State has adopted the National Institute of Standards and Technology Special Publication 800-53 (NIST 800‑53) as its minimum information security control requirements. NIST 800‑53 provides security and privacy controls for federal information systems and organizations. In addition to the state and federal government standards, certain international standards for information security may also be applied to organizations. Nonreporting entities may also be subject to industry-specific information security requirements. For example, some health care programs follow federal privacy and information security‑related requirements, such as the Health Insurance Portability and Accountability Act of 1996. Moreover, some nonreporting entities choose to adopt one or more standards to address their specific needs. Although multiple standards for information security exist, the standards most commonly used by the 33 nonreporting entities we reviewed are SAM 5300, NIST 800-53, and information security standards established in the International Organization for Standardization and the International Electrotechnical Commission 27000 family of standards (ISO/IEC 27000 family). Figure 1 describes these standards.

Figure 1
Information Security Standards

A series of three outline map images that demonstrate the applicability of the information security standards most commonly used by the 33 nonreporting entities we surveyed.

Source: ISO/IEC 27000 family, NIST 800-53, and SAM 5300.

Although they are not required to follow SAM 5300, many nonreporting entities have adopted these or other comparable standards. Standards provide requirements for establishing, implementing, maintaining, and continually improving an entity's information security management system. The entity's needs and objectives, its security requirements, the organizational processes it uses, and its size and structure influence how it establishes and implements such a system. The ISO/IEC 27000 family notes that all of these influencing factors are expected to change over time, which means that all entities should regularly evaluate their information security needs.

Regardless of which standards nonreporting entities choose to adopt, each of the standards addresses similar control areas, such as those described in Figure 2. For example, as we discuss earlier, SAM 5300 instructs reporting entities to use NIST 800‑53 as the minimum information security control requirements for reporting entities, but it adopts additional standards and procedures to address more specific requirements or needs unique to California. These additional standards are maintained in the Statewide Information Management Manual. In addition, NIST 800-53 includes a section that shows how its security controls map to comparable security controls in the ISO/IEC 27000 family, demonstrating how the two standards align. When they adopt standards, nonreporting entities make it possible for internal and external parties to assess their ability to meet the information security requirements they have established.

Figure 2
Five Key Control Areas of Information Security Standards

A flow chart that describes the five key control areas required in the information security standards.

Source: ISO/IEC 27000 family, NIST 800-53, and SAM 5300.

Information Security Is a High-Risk Issue

We previously reported on the deficiencies we identified in the security controls that state agencies have implemented over their information systems. The pervasiveness of these deficiencies led us to designate the technology department's oversight of information security as a high-risk issue. State law authorizes the California State Auditor (State Auditor) to develop a program for identifying, auditing, and reporting on high-risk state agencies and statewide issues. We first identified information security as a high-risk issue in our September 2013 audit report High Risk: The California State Auditor's Updated Assessment of High-Risk Issues the State and Selected State Agencies Face, Report 2013‑601. The report concluded that the technology department was performing limited reviews to assess the security controls that reporting entities had implemented for their information systems; it also discussed the deficiencies in such controls that we noted at two of the reporting entities we audited.

Two years later, in our August 2015 follow-up report, High Risk Update—Information Security: Many State Entities' Information Assets Are Potentially Vulnerable to Attack or Disruption, Report 2015-611, we found that few of the state entities under the oversight of the technology department had fully complied with the State's mandated information security and privacy policies, standards, and procedures. For example, when we performed compliance reviews of selected information security requirements at five reporting entities, we found that each had deficiencies. Similarly, our survey of reporting entities for that report showed that 73 of the 77 respondents reported that they had yet to achieve full compliance with the State's requirements. We also observed that a significant number of entities—such as constitutional offices and those in the judicial branch—are not subject to the technology department's security standards. Given the significant findings we identified in our August 2015 report and the pervasiveness of the information security issues that we identified in previous reports—including significant deficiencies we discovered in the controls that two nonreporting entities had implemented over their information systems—we stated our intent in that report to assess the information security risks associated with nonreporting entities.

Finally, we included an update to this high-risk issue in our January 2018 audit report High Risk: The California State Auditor's Updated Assessment of High-Risk Issues the State and Select State Agencies Face, Report 2017-601. In that update, we reported that although information security remains a high-risk issue to the State, the technology department has made progress in its oversight, and reporting entities have increased their compliance with SAM 5300. We also reiterated that the information security practices of state entities outside the purview of the technology department might warrant further investigation in the future. The information security status for such nonreporting entities is the subject of this report.






Back to top